Protecting Passwords and Sensitive Data – With a Pen!

Many companies and government agencies will attempt to obfuscate printed confidential data or credentials by blacking them out with a marker before releasing reports publicly or discarding them. In many cases this is a very ineffectual method of protecting data from prying eyes.

The solution? A pen!

Here is a quick example – let’s take this made-up social security number:

Now, if we had this social security number on a paper that was going to be publicly released, many will just take a black marker and swipe over it. This seems to work great when the marker ink is wet, but when it dries, many times you can still see the data underneath!

Like so:

A little hard to see, but if we zoom in a bit:

As you can see, all the numbers are still very visible.

I used to do a lot of field network support. When onsite we would be handed a lot of printed confidential information. At times people would literally just write credentials on pieces of paper and hand them to us and say something like, “I am going to lunch, but here is my password”.

The paper would look something like this:

If you don’t have immediate access to a shredder, what can you do to make this information more secure or obfuscated before discarding it?

The power of the pen!

Many numbers and letters have the basic shape of others. Simply take a pen and convert them to look like something else.

Like so:

What works better is adding extra information to the data to obfuscate it even further, like so:

“T’s” can become “F’s”, “L’s” can become “U’s”, and numerous letters and numbers can be made to look like “8’s” and “B’s”. Use your imagination!

Now, compare the obfuscated social security number and account information with the originals above and notice the differences.

If you recovered the obfuscated ones, could you guess the correct data?

You can then run a black marker over it if you prefer (always follow your organization’s policy on handling and discarding sensitive information), but as you can see from the examples, this is very effective.

There are times when printed reports with confidential data on them need to be publicly released, there are times when credentials or other important data will be written down, and there are times when a paper shredder may not be right at hand.

Physically changing the data works much better than trying to scribble the data out or using a black marker alone. And it only takes a few seconds to obfuscate sensitive data with a pen!